ABSTRACT

A method and system are provided for basis conversion in a cryptographic system. The method comprises the steps of a first correspondent transmitting an element represented in a first basis to an intermediate processor, the intermediate processor converting the element into a second basis representation and forwarding the converted element to the first correspondent, who then uses the converted element in a cryptographic operation. A further embodiment of the invention provides for the intermediate processor to perform the basis conversion on a field element and then forward the converted element to a second correspondent. A still further embodiment of the invention provides for the correspondents in a cryptographic scheme making use of a bit string that is a function of a sequence of traces of a field element, wherein the bit string is a shared secret for performing certain cryptographic operations.
METHOD AND APPARATUS FOR FINITE FIELD BASIS CONVERSION

The present invention relates to cryptographic systems and more particularly, to the conversion of elements in a finite field having one basis to elements of a finite field having another basis, wherein the elements are used in a cryptographic operation.



BACKGROUND OF THE INVENTION 

Cryptographic operations are generally implemented on elements in a finite field. Various finite fields are of interest to cryptographers, for example the multiplicative groups of prime fields F(p), the multiplicative group of finite fields of characteristic two, $F(2^n)$, and elliptic curve groups over finite fields, $E(F_p)$ or $E(F_{2^n})$. The elements in a given finite field are represented in terms of a basis for the finite field. The bases are also elements of the finite field.

Certain efficiencies may be realized in cryptographic operations by choosing a particular set of bases for that finite field. For example, in the finite field $F(2^n)$, two common choices of bases are the polynomial basis and the normal basis. A problem arises though in the choice of basis, since communication between two parties that use the same cryptographic scheme but have different basis elements requires the parties to perform a basis conversion operation on the field elements in order to obtain the same cryptographic result.

In general, if we let F(q) be a finite field, where q is a prime or a prime power, the degree of the field is n and its order is $q^n$. A basis for the finite field is a set of n elements $b_0, b_1, \ldots, b_{n-1} \in F(q)$ such that every element A of the finite field can be represented uniquely as a linear combination of basis elements:

$$A = \sum_{i=0}^{n-1} a_i b_i$$

where the $a_i \in F(q)$ are the coefficients. Arithmetic operations are then performed on this ordered set of coefficients.

It may be seen then generally that by using a different basis, a different ordered set of coefficients is used.
Various techniques have been implemented to convert between two choices of basis for a finite field. A conventional approach involves using a matrix multiplication, wherein basis conversion is performed using a change of basis matrix of dimension m, resulting in a matrix of size $m^2$. If m is typically 160 bits, then this occupies significant storage in devices such as a smart card. General finite field techniques are described in the "Handbook of Applied Cryptography", CRC Press, 1996, by S.A. Vanstone et al., incorporated herein by reference. Other techniques for basis conversion are described in United States Patent No. 5,854,759 to Kaliski et al., also incorporated herein by reference.

SUMMARY OF THE INVENTION

The present invention seeks to provide a method and apparatus for basis conversion that is generally efficient in terms of memory and computation time and is particularly adapted for use with smart cards and other low power cryptographic tokens.

In accordance with this invention, there is provided a method for basis conversion, the method comprising the steps of a first correspondent transmitting an element represented in a first basis to an intermediate processor; the intermediate processor converting the element into a second basis representation; forwarding said converted element to the first correspondent; and the first correspondent operating on the converted element in a cryptographic operation.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more 
apparent in the following detailed description in which reference is made to the appended 
drawings wherein: 

Figure 1 is a schematic diagram of an embodiment of a basis conversion system in accordance with the present invention;

Figure 2 is a schematic diagram of a further embodiment of a basis conversion system in accordance with the present invention; and

Figure 3 is a flow diagram illustrating a key exchange scheme in accordance with an embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to figure 1, a method according to a first embodiment of the invention is shown generally by numeral 10. In this embodiment, a pair of correspondents are represented by A and B, and an intermediate processor, such as a server, certifying authority or other helper processor, is represented by H. It is assumed the correspondents A and B include processors for performing cryptographic operations and the like. Specifically, A and B perform cryptographic operations in a basis $\beta_1$ and $\beta_2$, respectively. It is further assumed that the respective cryptographic parameters are contained within the entities A and B. For example, in an elliptic curve scheme the system parameters include at least a point P on the elliptic curve, the order of the curve and the parameters of the elliptic curve equation E.

In this embodiment, the entities A and B each generate a respective random value k, generally the private session key, and each compute a public value kP represented in terms of their respective bases $\beta_1$ and $\beta_2$. One of the entities, A for example, transmits its public key $kP_{\beta_1}$ to the server H. The server performs a basis conversion utilizing one of many basis conversion algorithms to convert the public key $kP_{\beta_1}$ represented in basis $\beta_1$ to a public key $kP_{\beta_2}$ represented in terms of the basis $\beta_2$. The converted key is transmitted back to the correspondent A. The correspondent A then computes the signature $s = k^{-1}(h(m) + dr)$, where $r = kP_{\beta_2}$. The signature s and r are then transmitted to the other correspondent B, which processes them in the basis $\beta_2$. Similarly, if correspondent B wishes to communicate with A, it also transmits its public key $kP_{\beta_2}$ to the server, which performs the conversion on the key and sends it back to the correspondent B. The correspondent B also computes a signature using $r = kP_{\beta_1}$.

In this embodiment, a helper or an intermediate processor is utilized to perform the basis conversion. Furthermore, the cryptographic scheme is not compromised, since the public key may be transmitted in the clear without requiring a secure communication path between the correspondent and the server.

Referring to figure 2, a second embodiment according to the invention is shown generally by numeral 20. In this embodiment, each of the correspondents A and B has a respective public key: aP represented in terms of basis $\beta_1$ and bP represented in terms of basis $\beta_2$. The first correspondent A transmits its public key $aP_{\beta_1}$ to the server H, which performs the basis conversion on the element to a representation in basis $\beta_2$ and transmits this key $aP_{\beta_2}$ to the second correspondent B. The second correspondent B also transmits its public key $bP_{\beta_2}$ to the server, where a basis conversion is performed on the key to the basis of the first correspondent. The key $bP_{\beta_1}$ is forwarded to the first correspondent A. Each of the correspondents then computes a common key by combining its private key with the other correspondent's received public key. Thus, A computes $abP_{\beta_1}$ and B computes $baP_{\beta_2}$.

The correspondents have now performed a key exchange, each having a shared key, and only one of the correspondents need perform a basis conversion. The keys may then be used in subsequent steps of the encryption scheme.

In a third embodiment, again it is assumed that the correspondents A and B operate in bases $\beta_1$ and $\beta_2$ respectively. The bases $\beta_1$ and $\beta_2$ may represent any basis. Furthermore, we define a field element $\alpha$ such that correspondent A represents the element $\alpha$ in terms of the basis $\beta_1$ and correspondent B represents the field element in terms of basis $\beta_2$. The correspondents make use of a bit string that is a function of a sequence of traces of the field element as a shared secret to perform certain cryptographic operations.

In this embodiment, let p be a prime and let $q = p^m$, where $m \geq 1$. Let $F_q$ be the finite field having q elements and $F_{q^n}$ the n-dimensional extension. The cyclic group G of $F_{q^n}$ over $F_q$ is generated by the mapping $\sigma(\alpha) = \alpha^q$, $\alpha \in F_{q^n}$, and is of order n. We may then define the trace function of $F_{q^n}$ over $F_q$ as

$$\mathrm{Tr}(\alpha) = \sum_{i=0}^{n-1} \alpha^{q^i}$$

For brevity, the trace function is simply represented as Tr. In the method of the present invention we make use of the property that $\mathrm{Tr}(\alpha_{\beta_1}) = \mathrm{Tr}(\alpha_{\beta_2})$; that is, the trace of an element $\alpha$ represented in terms of a basis $\beta_1$ is the same as the trace of the element represented in terms of basis $\beta_2$.

If a key of length n = 128 bits is to be constructed, then the traces of odd powers of $\alpha$ are taken. The traces, namely $\mathrm{Tr}(\alpha), \mathrm{Tr}(\alpha^3), \ldots, \mathrm{Tr}(\alpha^{255})$, are either 0 or 1. Since the trace is independent of the representation, it does not matter which one of the entities performs the trace. As an aside it may be noted that we could also use the traces $\mathrm{Tr}(f_1(\alpha)), \ldots, \mathrm{Tr}(f_k(\alpha))$; that is, the trace of $F(2^n)$ maps to the elements {0, 1} or F(2), and therefore $f_j$ maps $F(2^n)$ to F(2). In general, any invariant function may be utilized for the trace.

In general if F(q") is the finite field and F(q) is the ground field over which it is defined, 
the elements of the finite field can be represented in a number of ways depending on the choice 
5 of basis. Two common types of basis are polynomial basis and normal basis. If p 1 is a 

polynomial basis, then the basis elements may be represented as 1, p, p^. . .p""^ where p is a root 
or generator. Assuming the fimction f(x) = 0 and f(x) is an irreducible of degree n i.e irreducible 
over the ground field . Then, if a field element is given by a = ao + ai p' . + an.i P""\ the trace is 
given by 

1 0 Tr(a) = ao + a,Tr(p) + a2Tr(p' ) . . . + a„-i Tr(p"-'). 

It may be observed that the trace is linear and if the irreducible f(x) has the form 
x" + g(x) where the degree of g(x) is k, then 
Tr(p*) = 0forj = l,2.,.n-k-l. 
If the irreducible polynomial is given by 
15 x" + an.ix"*^ + a„-2x"'^... + ai 

and if a„.i = 0 then Tr(p) = 0, and an-i = 0 and an-2 = 0 then Tr(P^) = 0. The observation is that if 
consecutive coefficients of the field element a are zero then the trace of that number of terms is 
zero. 

Thus, we may use the trace bit string as a shared secret to perform the remaining cryptographic operations. In deciding upon a key, the users (correspondents) normally select a bit string that is a function of a sequence of traces of a selected field element. For example, if a bit string (key) of length 3 is desired, the traces of $\alpha, \alpha^3, \ldots$ could be used. The order of the sequence of traces may on occasion be arbitrarily chosen but known to the correspondents. The following examples more clearly illustrate the derivation of a key.

Example 1: In this example the traces of $\alpha$ and $\alpha^3$ are used to create a binary key of length 2.

Basis 1: The irreducible chosen is $f(x) = x^3 + x + 1 = 0$; $x^3 = x + 1$.
Element $\alpha$ in this basis is $\alpha = 1 + x^2$; then the key $= (\mathrm{Tr}(\alpha), \mathrm{Tr}(\alpha^3))$.
$\mathrm{Tr}(1) = 1 + 1^2 + 1^4 = 1$; (note $x^4 = x^2 + x$)
$\mathrm{Tr}(x) = x + x^2 + x^4 = x + x^2 + x^2 + x = 0$
$\mathrm{Tr}(x^2) = x^2 + x^4 + x^8 = x^2 + (x^2 + x) + (x^2 + x)^2 = x^2 + (x^2 + x) + x = 0$
$\mathrm{Tr}(\alpha) = \mathrm{Tr}(1 + x^2) = \mathrm{Tr}(1) + \mathrm{Tr}(x^2) = 1 + 0 = 1$
$\alpha^3 = \alpha \cdot \alpha^2 = (1 + x^2)(1 + x^2)^2 = (1 + x^2)(1 + x^4) = (1 + x^2)(1 + x + x^2) = 1 + x + x^2 + x^2 + x^3 + x^4 = 1 + x + x^3 + x^4 = 0 + x^2 + x = x^2 + x$
$\mathrm{Tr}(\alpha^3) = \mathrm{Tr}(x^2) + \mathrm{Tr}(x) = 0 + 0 = 0$
Thus the key = (1, 0).

Example 2: In this example a different basis is used (basis 2) and $\alpha$ is converted to its representation in this basis by (1) finding a root r for the polynomial for basis 1 in the representation generated by basis 2, and (2) then evaluating the polynomial representing $\alpha$ in basis 1 at r. The traces of $\alpha$ and $\alpha^3$ are calculated in basis 2 to generate the same binary key as was created in basis 1 above.

Basis 2: The irreducible chosen is $g(y) = y^3 + y^2 + 1$; $y^3 = y^2 + 1$.
To find $\alpha$ in basis 2, find a root of $f(x) = x^3 + x + 1$ (the irreducible in basis 1) in basis 2.
Note: $(y + 1)^3 + (y + 1) + 1 = y^3 + y^2 + y + 1 + y + 1 + 1 = 0 + y + 1 + y + 1 = 0$
Let $r = y + 1$; then $\alpha = 1 + x^2 \rightarrow \alpha' = 1 + r^2 = 1 + (y + 1)^2 = 1 + y^2 + 1 = y^2$
Key $= (\mathrm{Tr}(\alpha'), \mathrm{Tr}(\alpha'^3))$; (note $y^4 = y^3 \cdot y = y^3 + y = y^2 + y + 1$)
$\mathrm{Tr}(1) = 1 + 1 + 1 = 1$
$\mathrm{Tr}(y) = y + y^2 + y^4 = y + y^2 + y^2 + y + 1 = 1$
$\mathrm{Tr}(y^2) = y^2 + y^4 + y^8 = y^2 + y^2 + y + 1 + (y^2 + y + 1)^2 = y + 1 + y^4 + y^2 + 1 = y^4 + y^2 + y = y^2 + y + 1 + y^2 + y = 1$
$\mathrm{Tr}(\alpha') = \mathrm{Tr}(y^2) = 1$
$(\alpha')^3 = y^6 = (y^3)^2 = (y^2 + 1)^2 = y^4 + 1 = y^2 + y + 1 + 1 = y^2 + y$
$\mathrm{Tr}((\alpha')^3) = \mathrm{Tr}(y^2 + y) = \mathrm{Tr}(y^2) + \mathrm{Tr}(y) = 1 + 1 = 0$
Thus the key = (1, 0), as in basis 1.
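The following Python is an added illustration, not code from the patent: it implements $F(2^n)$ arithmetic in a polynomial basis, the trace map, the two-step root-finding conversion of Example 2, and the odd-power trace bit string of the third embodiment, and reproduces the key (1, 0) of Examples 1 and 2 in both bases. Field elements and irreducibles are encoded as integer bitmasks (an assumed encoding, not the patent's); the root search is brute force and only intended for small n.

```python
# Added example (not the patent's own code): GF(2^n) in a polynomial basis, the
# trace map, basis conversion by root-finding, and the basis-independent trace
# bit string of Examples 1 and 2. Elements are ints (bit i = coefficient of
# beta^i); `mod` is the irreducible as a bitmask with bit n set.
def gf_mul(a, b, mod, n):
    """Multiply two elements, reducing beta^n with the irreducible `mod`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= mod
    return r

def gf_pow(a, e, mod, n):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, n)
        a = gf_mul(a, a, mod, n)
        e >>= 1
    return r

def trace(a, mod, n):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(n-1)); the result is always 0 or 1."""
    t, x = 0, a
    for _ in range(n):
        t ^= x
        x = gf_mul(x, x, mod, n)
    return t

def poly_eval(f, r, mod, n):
    """Evaluate the GF(2) polynomial f (bitmask) at field element r by Horner's rule."""
    v = 0
    for i in range(f.bit_length() - 1, -1, -1):
        v = gf_mul(v, r, mod, n) ^ ((f >> i) & 1)
    return v

def convert(a, mod1, mod2, n):
    """Basis 1 -> basis 2, as in Example 2: find a root r of mod1 inside basis 2
    (brute force; fine for small n), then evaluate a's polynomial at r."""
    r = next(x for x in range(1 << n) if poly_eval(mod1, x, mod2, n) == 0)
    return poly_eval(a, r, mod2, n)

def trace_key(a, mod, n, bits):
    """Shared bit string (Tr(a), Tr(a^3), Tr(a^5), ...): traces of odd powers of a."""
    return tuple(trace(gf_pow(a, 2 * i + 1, mod, n), mod, n) for i in range(bits))

F1, F2, ALPHA = 0b1011, 0b1101, 0b101  # x^3+x+1, y^3+y^2+1, alpha = 1+x^2
KEY_BASIS_1 = trace_key(ALPHA, F1, 3, 2)                      # (1, 0)
KEY_BASIS_2 = trace_key(convert(ALPHA, F1, F2, 3), F2, 3, 2)  # (1, 0)
```

Because `convert` is a field isomorphism, the trace bit string agrees between the two bases for every element, not only for the α of the examples, so either correspondent can derive the shared string without knowing the other's basis.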

Referring to figure 3, a key agreement scheme according to an embodiment of the invention is shown generally by numeral 30. The correspondents A and B operate in bases $\beta_1$ and $\beta_2$ respectively. The bases $\beta_1$ and $\beta_2$ may represent any basis. Furthermore, A and B each have the following system parameters: a long-term private key d and a long-term public key $Q_A = d_A P$ and $Q_B = d_B P$, where P is a point on an elliptic curve represented in terms of the respective bases. The correspondent A represents P in terms of the basis $\beta_1$ and correspondent B represents P in terms of basis $\beta_2$. In a typical Diffie-Hellman key agreement scheme, each of the correspondents A and B generates a respective ephemeral private key $k_A$ and $k_B$ and computes a corresponding short-term (session) public key $k_A P_{\beta_1}$ and $k_B P_{\beta_2}$. A and B exchange their respective public keys and convert them to their own basis. If the correspondents are low power devices, such as smart cards or the like, then basis conversion may be performed by an intermediate processor such as described with reference to figures 1 and 2. Alternatively, if the correspondents have sufficient computing power, then basis conversion may be performed by the correspondents themselves, according to one of many basis conversion methods. In any event, after the basis conversion, correspondent A has B's public key $(k_B P_{\beta_2})_{\beta_1}$ and B has A's public key $(k_A P_{\beta_1})_{\beta_2}$. A shared secret is computed in their respective bases by computing $k_A (k_B P_{\beta_2})_{\beta_1} = \alpha_{\beta_1}$ and $k_B (k_A P_{\beta_1})_{\beta_2} = \alpha_{\beta_2}$. Each of the correspondents takes a sequence of traces of their respective field element $\alpha$ to derive a common bit string.

Applying the method to a signature scheme, the correspondent A generates its ephemeral public session key $kP_{\beta_1}$. A trace sequence may be constructed, for example, of the x-coordinate of $kP_{\beta_1}$, producing a bit string T. The bit string is passed through a hash function g to derive a signature component r. A second signature component $s = k^{-1}(m + dr)$ is computed, where d is A's long-term private key. The signature components are transmitted to B for verification. The verifier B computes $m s^{-1} P_{\beta_2} + r s^{-1} Q_{A,\beta_2} = kP_{\beta_2}$, where $Q_{A,\beta_2}$ is the long-term public key of A in basis 2. This basis conversion could be performed by A using an intermediate H as described earlier. B then generates a trace sequence on the computed value $kP_{\beta_2}$ and applies the hash function g to derive a value r'. If r' = r, then the signature is verified.
Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.
THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method for basis conversion between a pair of correspondents, said method comprising the steps of:

transmitting an element represented in a first basis from a first correspondent to an intermediate processor;

converting the received element into a second basis representation by said intermediate processor;

forwarding said converted element to the first correspondent; and

operating on said converted element by said first correspondent in a cryptographic operation.

2. In a cryptographic system, a method for generating a basis independent bit string, said method comprising the steps of:

representing a field element in terms of a first basis;

computing a function of a sequence of traces of said field element; and

using said sequence of traces as said bit string.

3. A method as defined in claim 2, including the step of using said bit string as a shared secret in said cryptographic scheme.